
Part 2 is a listing of all the items in each network checklist.

  1. Cisco Perimeter L3 Switch: Total Checks = 160
  2. Generic Perimeter L3 Switch: Total Checks = 142
  3. Cisco Perimeter Router: Total Checks = 136
  4. Generic Perimeter Router: Total Checks = 118
  5. Juniper Perimeter Router: Total Checks = 111


The Network Infrastructure Security Technical Implementation Guide (STIG) is for securing an inter-networking device such as a router or a switch. It is a good source of knowledge for securing a system based on best security practices.

The guide is divided into Infrastructure and Perimeter device types.

  • The Infrastructure device is the common intermediary node within an autonomous system (AS).
  • The Perimeter device is the outermost edge type device.

Each type is divided further into Router and L3 Switch.

  • A Router is the traditional layer 3 device: OSI model layer 3 – Network layer, running routing protocols such as BGP, OSPF and RIP.
  • A Layer 3 (L3) switch (as opposed to an L2 switch at Layer 2, the Data Link layer) is a high port density Ethernet device that also supports Layer 3 functionality (routing).

The checklist covers many security aspects. The identifier associated with each check further categorizes it, using the following prefixes:

NETxxxx – x representing a numerical value

Infrastructure Router
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.

Perimeter Router
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.

Perimeter L3 Switch
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-SRVFRM-xxx – Server Farm related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.

Infrastructure L3 Switch
NETxxxx – General network security configuration checks.
NET-IPV6-xxx – IPv6 related security configuration checks.
NET-TUNL-xxx – VPN or tunnel related security configuration checks.
NET-MCAST-xxx – Multicast related security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-SRVFRM-xxx – Server Farm related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.

L2 Switch
NETxxxx – General network security configuration checks.
NET-NAC-xxx – Network Admission Control related security configuration checks.
NET-VLAN-xxx – Virtual LANs related security configuration checks.

The Network Infrastructure STIG is freely available from: http://iase.disa.mil/stigs/net_perimeter/network_infra/routers_switches.html

I have started providing examples of what a Cisco IOS CCE would look like, based on the DISA Network Infrastructure STIG checklist.

Link to the example CCE http://www.c3isecurity.com/home/cce

I may add additional entries going forward.


I had the privilege of presenting at the 7th annual IT Security Automation Conference.  I represented the Apex Assurance Group where I am working on DoD IA, STIG and SCAP services.

SCAP for Inter-networking Devices

Abstract: Survey on SCAP for inter-networking devices such as routers and switches. The critical infrastructure and enterprise networks today are built on routers and switches to transport communications to endpoints and beyond. SCAP expansion into discovering and interrogating inter-networking devices fits into this continuous monitoring paradigm. The presentation will cover traditional SCAP methods used to probe devices and will discuss other methods. The presentation will also explore current and future SCAP capabilities for inter-networking devices.

Open Vulnerability and Assessment Language (OVAL) is an open standard used to assess a system. It is typically used for security assessments.

There are 5 tests in the Cisco IOS OVAL definitions schema. Though limited, one could make do with what is available. From what I’ve seen you really only need two tests. The version55_test and line_test are all that is needed for a Cisco IOS DISA STIG compliance check.

< version55_test >

This test parses the output of the Cisco IOS show version command and identifies the IOS version. Below is example output of the show version command.

splinter1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 17:09 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

splinter1 uptime is 12 weeks, 6 days, 3 hours, 13 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.150-1.M4"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory.
Processor board ID FTX0925A1BF
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device#      PID            SN
-------------------------------------------------
*0        CISCO2851         FTX0925A1BF

Configuration register is 0x2102

splinter1#

< line_test >

Used to parse the output of a Cisco IOS show command.

Below is example output of the Cisco IOS show processes command. It lists all the processes running on an IOS device. The output was cut off for brevity.

!
splinter1#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
1 Cwe 437AEFE4          168       4562      36 5428/6000   0 Chunk Manager
2 Csp 40070050         1500    1557371       0 2568/3000   0 Load Meter
3 Mwe 409C7EDC            0          1       023260/24000  0 LICENSE AGENT
4 Mwe 43891A08            0          1       023404/24000  0 EDDRI_MAIN
5 Lst 437F6030      9052256    1184857    7639 5332/6000   0 Check heaps
6 Cwe 437EF4F4          108        318     339 5492/6000   0 Pool Manager
7 Mwe 437EF460            0          1       0 5672/6000   0 DiscardQ Backgro
8 Mst 41A4566C            0          2       0 5532/6000   0 Timers
9 Mwe 409BC90C            0          1       0 5668/6000   0 License Client N
10 ME  41A5C1D4           48        294     163 9792/12000  0 Exec
11 Mwe 40117178            0          1       0 5696/6000   0 IPC Process leve
12 Mwe 4011703C            4     129774       0 5728/6000   0 IPC Dynamic Cach
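As an added example (not code from the original post or from the OVAL project), the following Python sketch shows what the two tests amount to: parse_version splits the Version field of show version into the major, minor, release, train and rebuild components that a version55_test compares, and line_check matches a pattern against show command output the way a line_test does. The sample inputs are constructed from the outputs quoted above; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the version line from the 'show version' output quoted above.
SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
"""

# Constructed sample: a few lines of the 'show processes' output quoted above.
SHOW_PROCESSES = """\
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 437AEFE4          168       4562      36 5428/6000   0 Chunk Manager
   5 Lst 437F6030      9052256    1184857    7639 5332/6000   0 Check heaps
"""

# major.minor(release)<train><rebuild>, e.g. 15.0(1)M4 -> 15, 0, 1, "M", 4
VERSION_RE = re.compile(
    r"Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<release>\d+)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)"
)

@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    release: int
    train: str     # train identifier, e.g. "M"; empty for a mainline image
    rebuild: int   # 0 when the version string carries no rebuild number

def parse_version(output: str) -> Optional[IosVersion]:
    """Split the 'Version ...' field into the components a version55_test compares."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return IosVersion(int(m["major"]), int(m["minor"]), int(m["release"]),
                      m["train"], int(m["rebuild"] or 0))

def version_at_least(found: IosVersion, minimum: IosVersion) -> bool:
    """True when found is minimum or later in the same train; other trains are not comparable."""
    if found.train != minimum.train:
        return False
    return ((found.major, found.minor, found.release, found.rebuild)
            >= (minimum.major, minimum.minor, minimum.release, minimum.rebuild))

def line_check(output: str, pattern: str) -> List[str]:
    """line_test style check: every line of a show command's output that matches pattern."""
    return [line for line in output.splitlines() if re.search(pattern, line)]
```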

< global_test >

Used to parse the configuration file for a particular Cisco IOS global configuration command.

< interface_test >

Used to test for IOS interface configuration commands.

< snmp_test >

Used to parse the SNMP community string and the SNMP access-list.

< tclsh_test >

Not sure what this test is for. Not all IOS versions (trains) have the TCL parser feature.

Blackwater offspring in cybersecurity.

Jellyfish http://jellyfishintel.com

http://shaneharris.com/news/from-the-team-that-brought-you-blackwater-comes-jellyfish/

Advanced Persistent Threat (APT) continues.

From what I can tell APT is synonymous with Chinese cyber incursions. APT is used by public relations departments to imply without directly stating. There are many advantages to using such labels, as they do not directly accuse. So it’s all part of the Information Warfare (IW).

Security Firm Is Vague on Its Compromised Devices – NYT
http://www.nytimes.com/2011/03/19/technology/19secure.html?_r=1&ref=technology

RSA open letter to customers
http://www.rsa.com/node.aspx?id=3872

Securities Exchange Commission:
http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm


Lockheed

http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527

L3 follow-on attack?

http://www.wired.com/threatlevel/2011/05/l-3/


The recent power outage in North East Brazil raises the question: was it hacker saboteurs or a natural disaster?

http://on.wsj.com/e0XHVa

Brief account of how Russia invaded Afghanistan.

by KALUGIN

http://www.foreignpolicy.com/articles/2009/12/11/how_we_invaded_afghanistan
